UniFi Identity Enterprise - Risk Score Calculations
The User Risk Score is a calculated number (score) that reflects the risk severity level. Typically, risk scores are calculated by multiplying the user's risk probability by its potential impact, and weighting in other related factors when required.
Weighting factors
Factors | Weight |
Sign-in velocity | 10% |
IP | 30% |
Location | 20% |
Device | 20% |
Workhour | 10% |
Velocity | 10% |
Architecture
- The system risk scoring service calculates the risk score based on events, such as sign-in, IP, location, and more. It structures the data and then stores it in the database.
- If a user’s action meets the risk level conditions set by the administrator in the security policy, then the system risk scoring service will calculate a risk score.
- After the risk score is generated, the policy service will check whether the risk score matches the conditions set in the security rule.
Note: The risk score is an integer between 0 and 100.
Calculation Factors
Sign-In Velocity
Calculates the risk factor based on the sign-in rate in a minute.
Note that every time a user logs in within a minute, the risk score increases by 5 points. If the user logs in more than 5 times within a minute, the score is calculated as follows:
Equation: Sign-in Velocity Score = Sign-in Attempts * 5 + (Sign-in Attempts - 5) * Sign-in Attempts
Examples:
- If you log in 3 times within the last minute, then your sign-in velocity score will be calculated as follows:
Sign-in Attempts = 3
Sign-in Velocity Score = 3 * 5
= 15
- If you sign in 7 times within the last minute, then your risk score will be:
Sign-in Attempts = 7
Sign-in Velocity Score = 7 * 5 + (7 - 5) * 7
= 35+2*7
= 35+14
= 49
IP
Calculates the risk factor based on the IP scores. The IP score uses a base score for calculations.
The base score uses the time window between two consecutive sign-ins as in the following table:
Time | Base Score |
Within 24 hours | 10 |
Within 72 hours | 20 |
Within 168 hours | 30 |
Within 336 hours | 50 |
Within 504 hours | 70 |
Within 720 hours | 80 |
Outside of 720 hours | 90 |
Equation: IP score = Base score - Times appeared in the past month
Example
If you signed in to UniFi Identity Enterprise using an IP within 72 hours of your last sign-in time, and you have used this IP to sign in to UniFi Identity Enterprise 5 times in the past month, then your IP score will be calculated as follows:
Base score = 20
Times appeared in the past month = 5
IP score = 20-5
= 15
Location
Calculates the risk score based on the users' geographic location. The risk score calculations use a base score that checks for matched location fields.
Location base score table:
Matched location fields | Base Score |
Country, state, and city all matched | 40 |
Country and state matched | 60 |
Only country matched | 80 |
New country | 100 |
Equation: Location score = Base score - Times appeared in the past month
Example:
- If a user signed in to a UniFi Identity Enterprise workspace from Los Angeles, California, the United States 3 times in the past month, then their location score will be:
Base score = 40
Times appeared in the past month: 3
Location score = 40 - 3
= 37
- Now, the same user signs in from San Francisco, California, U.S. for the first time. The user's score is adjusted to the following:
Base score = 60
Times appeared in the past month: 1
Location score = 60 - 1
= 59
Device
Calculates the risk score based on the sign-in device.
- The base score of a user device recorded in the system ESM Service is set to 50, but the base score will be set to 100 when a user signs in with a new device for the first time.
- Different browsers on the same device will be regarded as different devices.
Equation: Device score = 50 - Times the device appeared
Example:
- A user signed in to a UniFi Identity Enterprise workspace using a registered mobile phone in UniFi Identity Enterprise’s ESM Service 3 times in the past month.
Base score = 50
Times device appeared = 3
Device score = 50 - 3
= 47
- Now, the same user signs in using the same device but through a new network browser.
Base score = 100
Times device appeared = 3
Device score = 100 - 3
= 97
- The same user then changes their phone at the end of the month and the number of sign-ins increases to 5 times in the past month.
Base score = 100
Times device appeared = 5
Device score = 100 - 5
= 95
Workhour
Calculates the risk score based on the site’s working hours.
If a user signs in during the site’s working hours, their base score is set to 30. For every sign-in outside of normal work hours, the user’s risk score increases by 10 points per hour after the site’s closing time.
Equation: Workhour score = 30 + 10 * [Hours past closing time]
Example:
The work hours of a site are 9:00-18:00. If a user signs in to the site's UniFi Identity Enterprise workspace at 20:00, the score is calculated as follows:
Hours past closing time = 20:00-18:00
= 2
Workhour score = 30 +10*2
= 30 +20
= 50
Velocity
The geographic distance and time elapsed between two successive sign-ins are used to calculate the sign-in attempt speed. The following table is then used to calculate a score. Note: The default velocity is 805 km/h (500 mph).
Velocity | Score |
Within 100 km/h | Speed * 0.15 |
Between 100 - 300 km/h | Speed * 0.15 |
Between 300 - 500 km/h | Speed * 0.12 + 4 |
Between 500 - 800 km/h | Speed * 0.12 + 4 |
More than 800 km/h | 100 |
Not enough data to calculate speed | 30 |
Final risk score
Equation: Final risk score = Sign-in velocity score * 10% + IP Score * 30% + Location Score * 20% + Device Score * 20% + Workhour Score * 10% + Velocity * 10%
Example:
If a user has the following scores:
- Sign-in velocity score = 49
- IP score = 15
- Location score = 59
- Device score = 47
- Workhour score = 50
- Velocity = 100
Then their final risk score will be calculated as:
Final risk score = 49 * 10% + 15 * 30% + 59 * 20% + 47 * 20% + 50 * 20% + 100 * 10%
= 4.9 + 4.5 + 11.8 + 9.4 + 10 + 10
= 50.6
Based on the above example's final risk score, the system classifies the user’s risk score as Medium Risk.
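
The factor formulas and weighting above, collected into one Python sketch that can be used to check policy thresholds against sample sign-ins. This is an added example, not Ubiquiti code; the function names, the clamping of each factor to 0-100, and the boundary handling in the IP and velocity tables are assumptions.

```python
# Added example: the page's formulas in Python. Clamping each factor to
# 0..100 and the table boundary handling are assumptions, not documented.
WEIGHTS = {"signin_velocity": 0.10, "ip": 0.30, "location": 0.20,
           "device": 0.20, "workhour": 0.10, "velocity": 0.10}
# (upper bound in hours since the previous sign-in, base score)
IP_BASE = [(24, 10), (72, 20), (168, 30), (336, 50), (504, 70), (720, 80)]
LOCATION_BASE = {"city": 40, "state": 60, "country": 80, "new_country": 100}


def clamp(x):
    """Keep a factor inside 0..100 (assumption: the page only bounds the final score)."""
    return max(0.0, min(100.0, float(x)))


def signin_velocity_score(attempts):
    score = attempts * 5                      # 5 points per sign-in in the minute
    if attempts > 5:
        score += (attempts - 5) * attempts    # extra term above 5 attempts
    return clamp(score)                       # 11+ attempts would exceed 100


def ip_score(hours_since_last, seen_last_month):
    base = next((b for limit, b in IP_BASE if hours_since_last <= limit), 90)
    return clamp(base - seen_last_month)      # a frequently seen IP could go below 0


def location_score(match, seen_last_month):
    return clamp(LOCATION_BASE[match] - seen_last_month)


def device_score(known_device, seen):
    # 50 for a device already recorded, 100 for a new device or new browser
    return clamp((50 if known_device else 100) - seen)


def workhour_score(hours_past_closing):
    return clamp(30 + 10 * max(0, hours_past_closing))


def velocity_score(kmh):
    if kmh is None:                           # not enough data to calculate speed
        return 30.0
    if kmh > 800:
        return 100.0
    return clamp(kmh * 0.15 if kmh < 300 else kmh * 0.12 + 4)


def final_risk_score(scores):
    # One decimal place, to compare with worked sums; rounding to an integer is not documented
    return round(sum(WEIGHTS[k] * scores[k] for k in WEIGHTS), 1)
```

With the weights from the table (Workhour 10%), the example inputs above give 45.6; the worked sum on this page reaches 50.6 because it applies 20% to the Workhour score.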